CN114301671A - Network intrusion detection method, system, device and storage medium - Google Patents
Network intrusion detection method, system, device and storage medium Download PDFInfo
- Publication number
- CN114301671A CN114301671A CN202111623254.5A CN202111623254A CN114301671A CN 114301671 A CN114301671 A CN 114301671A CN 202111623254 A CN202111623254 A CN 202111623254A CN 114301671 A CN114301671 A CN 114301671A
- Authority
- CN
- China
- Prior art keywords
- automaton
- rule
- sub
- text
- bit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 71
- 230000014509 gene expression Effects 0.000 claims abstract description 70
- 239000011159 matrix material Substances 0.000 claims abstract description 64
- 239000013598 vector Substances 0.000 claims abstract description 44
- 238000000034 method Methods 0.000 claims abstract description 37
- 238000004364 calculation method Methods 0.000 claims abstract description 19
- 238000012546 transfer Methods 0.000 claims abstract description 18
- 230000006870 function Effects 0.000 claims abstract description 17
- 230000004044 response Effects 0.000 claims abstract description 15
- 230000002265 prevention Effects 0.000 claims description 11
- 239000012634 fragment Substances 0.000 claims description 7
- 238000003491 array Methods 0.000 claims description 5
- 238000006243 chemical reaction Methods 0.000 claims description 5
- 238000007781 pre-processing Methods 0.000 abstract description 10
- 238000010586 diagram Methods 0.000 description 9
- 238000012545 processing Methods 0.000 description 8
- 230000008569 process Effects 0.000 description 7
- 238000002474 experimental method Methods 0.000 description 4
- 101100218644 Saccharomyces cerevisiae (strain ATCC 204508 / S288c) BFA1 gene Proteins 0.000 description 3
- 230000006835 compression Effects 0.000 description 3
- 238000007906 compression Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 238000005457 optimization Methods 0.000 description 3
- 238000010276 construction Methods 0.000 description 2
- 238000001914 filtration Methods 0.000 description 2
- 239000013307 optical fiber Substances 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 230000007704 transition Effects 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000004880 explosion Methods 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 230000003252 repetitive effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000012163 sequencing technique Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000002123 temporal effect Effects 0.000 description 1
- 230000001131 transforming effect Effects 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention provides a network intrusion detection method, a system, equipment and a storage medium, wherein the method comprises the following steps: under the condition that a network event is detected, characters contained in a text character string in a network data packet of the network event are sequentially converted into bit matrixes, the bit matrixes are sequentially input into an automaton, Boolean matrix multiplication between bit vectors representing states and the bit matrixes is iteratively calculated in the automaton, and state skip is executed in response to the calculation result of the Boolean matrix multiplication, wherein the automaton is obtained by encoding feature vectors according to rule character strings of a feature rule regular expression, the rule character strings of the feature rule regular expression represent the states and state transfer functions of the automaton, and under the condition that the automaton outputs a rule matching result, corresponding network intrusion protection decisions are executed on the network event in response to the rule matching result. The invention can quickly respond to network intrusion detection, obtain better balance among preprocessing time, matching speed and memory occupation, and is more suitable for dynamic network scenes.
Description
Technical Field
The present invention relates to the field of network security, and in particular, to a method, system, device, and storage medium for network intrusion detection.
Background
In the big data era, network security has become a significant social concern. The traditional firewall can not completely meet the requirement of network protection, and a network intrusion detection system becomes a supplementary key means.
Most of the current intrusion detection systems in the market adopt a pattern matching-based feature detection method, which uses a Non-Deterministic Finite Automata (NFA) or a Deterministic Finite Automata (DFA) to match a regular expression set and a network data packet. Like the DFA, the NFA consumes strings of input symbols, transforming to a new state for each input symbol until all input symbols are exhausted.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the invention and therefore may include information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
The present invention is directed to a method, a system, a device and a storage medium for network intrusion detection, which overcome the difficulties of the prior art, and can quickly respond to network intrusion detection, thereby obtaining better trade-off between preprocessing time, matching speed and memory usage.
The embodiment of the invention provides a network intrusion detection method, which comprises the following steps:
under the condition that the network event is detected, sequentially converting characters contained in a text character string in a network data packet of the network event into a bit matrix;
inputting bit matrixes into an automaton in sequence, calculating Boolean matrix multiplication between bit vectors representing states and the bit matrixes in the automaton in an iterative manner, and executing state jump in response to the calculation result of the Boolean matrix multiplication, wherein the automaton is obtained by encoding feature vectors according to regular character strings of a feature regular expression, and the regular character strings of the feature regular expression represent the states and state transfer functions of the automaton;
and under the condition that the automaton outputs a rule matching result, responding to the rule matching result, and executing a corresponding network intrusion prevention decision on the network event.
Optionally, sequentially converting characters included in a text string in a network packet of a network event into a bit matrix, including:
extracting a target text segment from a network data packet, and sequentially converting characters contained in a text character string of the target text segment into a bit matrix;
inputting the bit matrix into an automaton in sequence, comprising:
and inputting the bit matrixes obtained by converting the target text fragments into the automaton in sequence.
Optionally, before extracting the target text segment from the network data packet, the network intrusion detection method further includes:
dividing a network data packet of a network event into a plurality of text segments, extracting sub-text character strings from text character strings of each text segment of the network data packet, and sequentially converting characters contained in the sub-text character strings into sub-bit matrixes;
sequentially inputting the sub-bit matrixes into a sub-automaton, iteratively calculating Boolean matrix multiplication between sub-feature vectors representing states and the sub-bit matrixes in the sub-automaton and responding to the calculation result of the Boolean matrix multiplication to execute state jump, wherein the sub-automaton is obtained by encoding feature vectors of sub-rule character strings contained in rule character strings of a feature rule regular expression;
and under the condition that the sub-automatic machine outputs the matching result of the sub-text character strings, responding to the matching result of the sub-text character strings to obtain the matched sub-text character strings, and selecting the target text segments to which the matched sub-text character strings belong from the text character strings of the plurality of text segments.
Optionally, in a case where a plurality of matched sub-text strings are obtained in response to a sub-text string matching result, before all bit matrices obtained by converting the target text segment are sequentially input to the automaton, the network intrusion detection method further includes:
obtaining a corresponding sub-rule character string by using each matched sub-text character string, and obtaining a target characteristic regular expression to which the sub-rule character string belongs;
the bit matrixes obtained by converting the target text fragments are all input into the automaton in sequence, and the method comprises the following steps:
under the condition of obtaining a target automaton constructed by using a target characteristic rule regular expression, bit matrixes obtained by converting target text segments are all sequentially input into the target automaton.
Optionally, in a case that a target automaton constructed by using a target feature rule regular expression is obtained, before bit matrices obtained by converting target text segments are all sequentially input into the target automaton, the network intrusion detection method further includes:
and carrying out feature vector coding by using the regular character string of the target feature regular expression to obtain the target automaton.
Optionally, obtaining a corresponding sub-rule character string by using each matched sub-text character string, and obtaining a target feature rule regular expression to which the sub-rule character string belongs, including:
selecting a target character string array belonging to the subset of the first character string array from a plurality of second character string arrays, wherein each second character string array is constructed by utilizing a plurality of sub-rule character strings in each feature rule regular expression;
and searching a target characteristic rule regular expression according to the characteristic rule identification marked by the target character string array.
Optionally, the network intrusion prevention decision is release, interception or alarm. Preferably … …
An embodiment of the present invention further provides a network intrusion detection system, configured to implement the above network intrusion detection method, where the network intrusion detection system includes:
the bit matrix conversion module is used for sequentially converting characters contained in a text character string in a network data packet of a network event into a bit matrix under the condition that the network event is detected;
the regular matching module inputs the bit matrixes into the automaton in sequence, calculates Boolean matrix multiplication between bit vectors representing states and the bit matrixes in the automaton in an iterative manner, and executes state skip in response to the calculation result of the Boolean matrix multiplication, wherein the automaton is obtained by encoding the feature vectors according to the regular character strings of the feature regular expression, and the regular character strings of the feature regular expression represent the states and the state transfer functions of the automaton;
and the decision execution module responds to the rule matching result and executes a corresponding network intrusion protection decision on the network event under the condition that the automaton outputs the rule matching result.
An embodiment of the present invention further provides a network intrusion detection device, including:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the steps of the network intrusion detection method described above via execution of executable instructions.
Embodiments of the present invention also provide a computer-readable storage medium for storing a program, where the program is executed to implement the steps of the network intrusion detection method.
The invention aims to provide a network intrusion detection method, a system, equipment and a storage medium, wherein an automaton used by the invention is a finite automaton BFA based on bits, in a matching stage, a state jump process is converted into Boolean matrix multiplication of a bit vector and a bit matrix, the optimization is carried out by utilizing built-in bit operation and a parallel instruction set in a CPU, and the size of the space occupied by a state transfer table is reduced by a bitmap compression technology. The character string matching process based on the bit occupies small memory and has smaller calculation amount. Experiments based on real flow and rules show that the rule preprocessing time and memory occupation of BFA are far superior to those of a DFA method, the matching speed is 10-100 times higher than that of an NFA method, and network intrusion detection can be quickly responded. The scheme of the method can obtain better balance among preprocessing time, matching speed and memory occupation, and is more suitable for dynamic network scenes.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, with reference to the accompanying drawings.
FIG. 1 is a flow chart of one embodiment of a network intrusion detection method of the present invention;
FIG. 2 is a schematic diagram of the network intrusion detection method of the present invention;
FIG. 3 is a flow chart of a second embodiment of a network intrusion detection method according to the present invention;
FIG. 4 is a flow chart of a third embodiment of a network intrusion detection method of the present invention;
FIG. 5 is a flow chart of a fourth embodiment of a network intrusion detection method of the present invention;
FIG. 6 is a flow chart of a fifth embodiment of a network intrusion detection method of the present invention;
FIG. 7 is a block diagram of one embodiment of a network intrusion detection system of the present invention;
FIG. 8 is a block diagram of a second embodiment of a network intrusion detection system according to the present invention;
FIG. 9 is a block diagram of a third embodiment of a network intrusion detection system according to the present invention;
FIG. 10 is a block diagram of a fourth embodiment of a network intrusion detection system of the present invention;
fig. 11 is a schematic diagram of the operation of the network intrusion detection system of the present invention.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
The drawings are merely schematic illustrations of the invention and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware forwarding modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
In addition, the flow shown in the drawings is only an exemplary illustration, and not necessarily includes all the steps. For example, some steps may be divided, some steps may be combined or partially combined, and the actual execution sequence may be changed according to the actual situation. The use of "first," "second," and similar terms in the detailed description is not intended to imply any order, quantity, or importance, but rather is used to distinguish one element from another. It should be noted that features of the embodiments of the invention and of the different embodiments may be combined with each other without conflict.
The inventor finds in practice that both NFA and DFA have their respective limitations and cannot fully and efficiently meet the performance requirements of intrusion detection systems in terms of space-time complexity.
NFA is a finite state automaton that can have multiple possible next states for each state and input character pair. For NFA, for length n regularization, the spatial complexity is O (n), but it may occur that multiple states are active simultaneously, with temporal complexity up to O (n ^ 2). Constructing the NFA results in too slow a matching speed due to uncertainty in state transitions.
For DFA, a specific symbol input has and can only get one state, i.e. all state jumps are determined to be unique, the time complexity is O (1), but the space consumption is huge, and the space complexity is high for the regular n length (i | | ^ n) (| Σ | is the number of elements in the input character set). Therefore, the memory explosion situation may occur to all the regular structured DFAs.
The embodiment of the invention provides a novel network intrusion detection method, which comprises the steps of utilizing a network intrusion detection rule set regular expression, extracting a target character string from the regular expression, utilizing the target character string to obtain a bit vector based on a bit memory, and utilizing the bit vector to encode a state and a state transfer function in a target automaton to obtain an automaton engine. Thus, under the condition that the network data packet is detected, the bit matrix of the text data is obtained according to the network data packet, the bit matrix is input into the automaton engine, Boolean matrix multiplication is calculated in the automaton engine by utilizing the bit matrix of the text data and the bit vector of the text data, and the state jump result is obtained according to the calculation result.
The target automaton in the embodiment of the invention can be called a finite automaton BFA (bit based FA) based on bit, and experiments based on real flow and rules show that the rule preprocessing time and the memory occupation of the BFA are far superior to those of the DFA method, the matching speed is 10 to 100 times higher than that of the NFA method, and the network intrusion detection can be quickly responded.
Fig. 1 is a flow chart of an embodiment of a network intrusion detection method of the present invention. As shown in fig. 1, an embodiment of the present invention provides a network intrusion detection method, which specifically includes the following steps:
step 110: under the condition that the network event is detected, sequentially converting characters contained in a text character string in a network data packet of the network event into a bit matrix;
step 120: inputting bit matrixes into an automaton in sequence, calculating Boolean matrix multiplication between bit vectors representing states and the bit matrixes in the automaton in an iterative manner, and executing state jump in response to the calculation result of the Boolean matrix multiplication, wherein the automaton is obtained by encoding feature vectors according to regular character strings of a feature regular expression, and the regular character strings of the feature regular expression represent the states and state transfer functions of the automaton;
step 130: and under the condition that the automaton outputs a rule matching result, responding to the rule matching result, and executing a corresponding network intrusion prevention decision on the network event.
The feature rule of this embodiment is a network intrusion detection rule constructed according to data features summarized from historical network events. Regular expressions are a logical formula for operating on character strings (including common characters (e.g., letters between a and z) and special characters (called meta characters)), and a "regular character string" is formed by using specific characters defined in advance and a combination of the specific characters, and is used for expressing a filtering logic for the character string. A regular expression is a text pattern that describes one or more strings of characters to be matched when searching for text.
In this case, the rule string extracted from the regular expression describes the state of the feature rule and a state transition function for defining a rule of state switching so as to judge whether to shift to the next state according to the input variable.
Under the condition that the regular character string is extracted from the characteristic regular expression, the bit vector is obtained by obtaining the state and the state transfer function of the automaton according to the regular character string and coding the bit vector of the state and the state transfer function.
The text string disclosed in this embodiment is text data carried by a network data packet, and is a detected or matched object. The automaton of the embodiment of the invention uses bit vector coding states and state transfer functions, each state corresponds to a specific bit vector, and whether to jump to the next state is judged by calculating bit matrix multiplication on a bit matrix of a character corresponding to the current state. The boolean matrix multiplication is thus regarded as a state transfer function, the result of which is used to decide whether to jump to the next state or not.
And if the next state is jumped to, indicating that the characters of the text character string corresponding to the current input bit matrix are matched with the feature rule, wherein the feature rule is matched with the preset characters. When all characters in the text character string are matched, the automaton jumps to a final state, a rule matching result is output at the moment, and the rule matching result triggers execution of a corresponding decision.
The automaton of the embodiment of the invention is a finite automaton BFA based on bit, in the matching stage, the state jump process is converted into Boolean matrix multiplication of a bit vector and a bit matrix, the optimization is carried out by utilizing built-in bit operation and a parallel instruction set in a CPU, and the size of the space occupied by a state transfer table is reduced by a bitmap compression technology. The bit-based text string matching process occupies small memory and has smaller calculation amount. Experiments based on real flow and rules show that the rule preprocessing time and memory occupation of BFA are far superior to those of a DFA method, the matching speed is 10-100 times higher than that of an NFA method, and network intrusion detection can be quickly responded. The scheme of the method can obtain better balance among preprocessing time, matching speed and memory occupation, and is more suitable for dynamic network scenes.
For example, for the regular rule ab. Where states 0, 1, 2, 3, 4 are involved, including characters a, b, c, d. When states 0 and 2 are active, then states 0, 2, and 3 are all active after character c is entered.
The NFA shown in fig. 2 is converted to BFA. The state of the automaton can be characterized by using a bit vector, and each character obtained in the character string can be characterized by using a bit matrix. For example, states 0 and 2 are both active, characterized by:
[1 0 1 0 0]
wherein 1 represents activated and 0 represents not activated;
at the time of character c input, the state jump is calculated as follows:
it can be seen that 0, 2 and 3 are all activated.
Therefore, NFA-based regular expressions can be converted to BFA. In an alternative embodiment, DFA-based regular expressions can also be converted to BFA. In the matching stage, Boolean matrix multiplication is calculated for the bit matrix of the input character and the bit vector representing the current state of the automaton engine, whether to jump to the next state is further determined according to the calculation result, and when the final state is also activated, a corresponding characteristic rule is triggered to execute a corresponding decision.
In alternative embodiments, the network intrusion prevention decision is to release, intercept or alarm a network event, which is not limited herein.
In an alternative embodiment, the automaton may be pre-constructed. Referring to fig. 3, an automaton can be constructed using the following method:
step 310: acquiring a regular expression of a feature rule for network intrusion detection, and extracting a rule character string from the regular expression, wherein the rule character string of the feature rule regular expression represents the state and a state transfer function of an automaton;
step 320: and carrying out feature vector encoding according to the regular character string of the feature regular expression to obtain the automaton constructed based on the bit vector.
Fig. 4 is a flowchart of a network intrusion detection method according to another embodiment of the present invention, and referring to fig. 4, the method may include the following steps:
step 410: under the condition that a network event is detected, extracting a target text segment from a network data packet of the network event, and sequentially converting characters contained in a text string of the target text segment into a bit matrix;
step 420: inputting bit matrixes obtained by converting target text segments into an automaton in sequence, iteratively calculating Boolean matrix multiplication between bit vectors representing states and the bit matrixes in the automaton and executing state jump in response to the calculation result of the Boolean matrix multiplication, wherein the automaton is obtained by encoding feature vectors according to regular character strings of a feature regular expression, and the regular character strings of the feature regular expression represent the states and state transfer functions of the automaton;
step 430: and under the condition that the automaton outputs a rule matching result, responding to the rule matching result, and executing a corresponding network intrusion prevention decision on the network event.
In this embodiment, the target text segment is a text segment in the network data packet, so that the length of the text string to be matched by the automaton is shortened, which can improve the matching efficiency of the automaton.
In this case, in reality, the regular expression of the feature rules faced by the automaton is also short.
In an optional embodiment, the automaton can respectively perform feature rule matching on a plurality of target text segments, and once the text strings of one or more text segments are matched with the feature rules, the automaton can output rule matching results and trigger execution of network intrusion prevention decisions.
In alternative embodiments, the target text segment may be a partial text segment or a full text segment in the network packet.
In an alternative embodiment, referring to fig. 5, the present invention provides another network intrusion detection method, which specifically includes the following steps:
step 510: under the condition that a network event is detected, a network data packet of the network event is divided into a plurality of text segments, a sub-text character string is extracted from a text character string of each text segment, and characters contained in the sub-text character string are sequentially converted into a sub-bit matrix;
step 520: sequentially inputting the sub-bit matrixes into a sub-automaton, iteratively calculating Boolean matrix multiplication between sub-feature vectors representing states and the sub-bit matrixes in the sub-automaton and responding to the calculation result of the Boolean matrix multiplication to execute state jump, wherein the sub-automaton is obtained by encoding feature vectors of sub-rule character strings contained in rule character strings of a feature rule regular expression;
step 530: under the condition that the sub-automatic machine outputs the matching result of the sub-text character strings, responding to the matching result of the sub-text character strings to obtain the matched sub-text character strings, and selecting the target text segments to which the matched sub-text character strings belong from the text character strings of the plurality of text segments;
step 540: sequentially converting characters contained in a text string of a target text fragment into a bit matrix;
step 550: inputting bit matrixes obtained by converting target text character strings into an automaton in sequence, calculating Boolean matrix multiplication between bit vectors representing states and the bit matrixes in the automaton in an iterative manner, and executing state jump in response to the calculation result of the Boolean matrix multiplication, wherein the automaton is obtained by encoding feature vectors according to regular character strings of a feature regular expression, and the regular character strings of the feature regular expression represent states and state transfer functions of the automaton;
step 560: and under the condition that the automaton outputs a rule matching result, responding to the rule matching result, and executing a corresponding network intrusion prevention decision on the network event.
In this embodiment, a sub-automaton and an automaton are respectively constructed for a sub-rule character string in a feature rule and a rule character string with a complete feature rule, where the sub-automaton is used to match a sub-text character string, and the automaton is used to match a complete text segment.
Under the condition, the sub-automaton plays a role in filtering and filters unmatched sub-text character strings and the text segments to eliminate partial text segments, so that the text matching efficiency and precision of the subsequent automaton are improved, the memory consumption of the automaton is reduced, the network intrusion detection efficiency is improved, and the balance among the preprocessing time, the matching speed and the memory occupation is obtained.
In an optional embodiment, in a case where a plurality of matched sub-text strings are obtained in response to a sub-text string matching result, before all bit matrices obtained by converting a target text segment are sequentially input to the automaton, the network intrusion detection method further includes:
obtaining a corresponding sub-rule character string by using each matched sub-text character string, and obtaining a target characteristic regular expression to which the sub-rule character string belongs;
the bit matrixes obtained by converting the target text fragments are all input into the automaton in sequence, and the method comprises the following steps:
under the condition of obtaining a target automaton constructed by using a target characteristic rule regular expression, bit matrixes obtained by converting target text segments are all sequentially input into the target automaton.
In this embodiment, the automata is screened by using the matched sub-text character string to obtain the target automata, and the target automata is constructed by using the feature rule regular expression including the sub-text character string, so that the corresponding target text segment can be more accurately matched with the feature rule.
In addition, the number of final automata is further reduced, the calculation amount of text matching and the corresponding memory consumption can be reduced, and the network intrusion detection efficiency is improved.
In an alternative embodiment, the target automaton may be constructed in real-time. In this case, in the case of acquiring a target automaton constructed by using a target feature rule regular expression, before all bit matrices obtained by converting target text segments are sequentially input to the target automaton, the network intrusion detection method further includes:
and carrying out feature vector coding by using the regular character string of the target feature regular expression to obtain the target automaton.
In an alternative embodiment, the target automaton can be selected from the constructed automaton by using the identification information of the target feature rule regular expression.
In an optional embodiment, obtaining the corresponding sub-rule character string by using each matched sub-text character string, and obtaining the target feature rule regular expression to which the sub-rule character string belongs, includes:
constructing a first character string array by using a plurality of matched sub-text character strings;
selecting a target character string array belonging to the subset of the first character string array from a plurality of second character string arrays, wherein each second character string array is constructed by utilizing a plurality of sub-rule character strings in each feature rule regular expression;
and searching the target characteristic rule regular expression in the plurality of characteristic rule regular expressions according to the characteristic rule identification corresponding to the target character string array.
Since the second character string array is constructed from the precise sub-rule character strings extracted from the specific feature rule regular expression, once the second character string array constructed based on the sub-rule character strings falls into the first character string array, it indicates that the feature rule regular expression corresponding to the second character string array has a high probability that the feature rule regular expression can specially or more precisely perform feature rule matching on the target text segment to which the matched sub-rule character string belongs.
In an alternative embodiment, the sub-text strings in the second string array are ordered in accordance with the sub-rule strings in the first string array, such as alphabetically. Thus, when the subset judgment is carried out, the target automaton can be matched more accurately.
Fig. 6 is a system analysis flowchart of a network intrusion detection method according to an embodiment of the present invention, and referring to fig. 6, the method specifically includes the following automaton construction stage and a specific network intrusion detection stage.
The automaton construction phase comprises the following steps:
step 610: extracting as many precise rule character strings as possible from each rule regularization;
step 620: removing the duplication of the extracted precise rule character strings, sequentially storing the extracted precise rule character strings into an array a, and recording array subscripts corresponding to the precise rule character strings corresponding to each rule, wherein the array a corresponds to the second character string array above;
step 630: the automaton BFA1 is constructed using the array a of pre-stored exact strings, which BFA1 corresponds to the child automaton above.
The network intrusion detection stage based on text matching comprises the following steps:
step 640: segmenting according to the text characteristics;
step 650: the segmented texts enter BFA1 in sequence to be detected, the matched sub-text character string set is stored in an array b, and quick sequencing is carried out according to the sequence of the array a;
step 660: using binary search to find the rule belonging to the subset of the matched sub-text character string set of the array a;
step 670: traversing the filtered rule set, constructing an automaton BFA2, and performing accurate regular matching on the text;
step 680: and executing an interception, alarm or release strategy according to the trigger rule.
Fig. 7 is a block diagram of an embodiment of a network intrusion detection system of the present invention. The network intrusion detection system of the present invention, as shown in fig. 7, includes but is not limited to:
a bit matrix conversion module 710, which converts the characters contained in the text character string in the network data packet of the network event into a bit matrix in sequence under the condition that the network event is detected;
the regular matching module 720 inputs the bit matrixes into the automaton in sequence, iteratively calculates Boolean matrix multiplication between bit vectors representing states and the bit matrixes in the automaton and executes state skip in response to the calculation result of the Boolean matrix multiplication, wherein the automaton is obtained by encoding feature vectors according to the regular character strings of the feature regular expression, and the regular character strings of the feature regular expression represent the states and state transfer functions of the automaton;
and the decision execution module 730 responds to the rule matching result and executes a corresponding network intrusion prevention decision on the network event under the condition that the automaton outputs the rule matching result.
The implementation principle of the above modules is described in the network intrusion detection method, and is not described herein again.
The automaton used by the network intrusion detection system is a finite automaton BFA based on bit, in the matching stage, the state jump process is converted into Boolean matrix multiplication of a bit vector and a bit matrix, the optimization is carried out by utilizing built-in bit operation and a parallel instruction set in a CPU, and the size of the space occupied by a state transfer table is reduced by a bitmap compression technology. The character string matching process based on the bit occupies small memory and has smaller calculation amount. Experiments based on real flow and rules show that the rule preprocessing time and memory occupation of BFA are far superior to those of a DFA method, the matching speed is 10-100 times higher than that of an NFA method, and network intrusion detection can be quickly responded. The scheme of the method can obtain better balance among preprocessing time, matching speed and memory occupation, and is more suitable for dynamic network scenes.
Optionally, the bit matrix conversion module 710 is specifically configured to:
extracting a target text segment from a network data packet, and sequentially converting characters contained in a text character string of the target text segment into a bit matrix;
the canonical matching module 720 is specifically configured to:
and inputting the bit matrixes obtained by converting the target text fragments into the automaton in sequence.
Optionally, compared with fig. 7, the network intrusion detection system shown in fig. 8 further includes:
the sub-bit matrix conversion module 810, before extracting a target text segment from a network data packet, divides the network data packet of a network event into a plurality of text segments, extracts a sub-text string from a text string of each text segment of the network data packet, and sequentially converts characters contained in the sub-text string into a sub-bit matrix;
and the sub-text string matching module 820 inputs the sub-bit matrixes into the sub-automaton in sequence, calculates Boolean matrix multiplication between the sub-feature vectors representing the states and the sub-bit matrixes in the sub-automaton in an iterative manner, and executes state jump in response to the calculation result of the Boolean matrix multiplication, wherein the sub-automaton is obtained by encoding the feature vectors of the sub-rule strings contained in the rule strings of the feature rule regular expression.
The text segment selecting module 830, under the condition that the sub-automaton outputs the matching result of the sub-text character strings, obtains the matched sub-text character strings in response to the matching result of the sub-text character strings, and selects the target text segments to which the matched sub-text character strings belong from the text character strings of the plurality of text segments.
Optionally, compared with fig. 8, the network intrusion detection system shown in fig. 9 further includes:
an obtaining module 910, configured to, when a plurality of matched sub-text character strings are obtained in response to a sub-text character string matching result, obtain a corresponding sub-rule character string by using each matched sub-text character string before bit matrices obtained by converting a target text segment are sequentially input to the automaton, and obtain a target feature rule regular expression to which the sub-rule character string belongs;
the regular matching module 920 is specifically configured to, under the condition that a target automaton constructed by using a target feature rule regular expression is obtained, sequentially input bit matrices obtained by converting target text segments into the target automaton.
Optionally, the obtaining module 910 is specifically configured to:
selecting a target character string array belonging to the subset of the first character string array from a plurality of second character string arrays, wherein each second character string array is constructed by utilizing a plurality of sub-rule character strings in each feature rule regular expression;
and searching a target characteristic rule regular expression according to the characteristic rule identification marked by the target character string array.
Optionally, compared with fig. 9, the network intrusion detection system shown in fig. 10 further includes:
the automaton constructing module 1010 is configured to perform feature vector encoding by using the regular character strings of the target feature regular expression to obtain the target automaton before the bit matrixes obtained by converting the target text segments are sequentially input into the target automaton under the condition that the target automaton constructed by using the target feature regular expression is obtained.
The embodiment of the invention also provides network intrusion detection equipment which comprises a processor. A memory having stored therein executable instructions of the processor. Wherein the processor is configured to perform the steps of the network intrusion detection method via execution of the executable instructions.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," module "or" platform.
Fig. 11 is a schematic structural diagram of a network intrusion detection device of the present invention. An electronic device 1100 according to this embodiment of the invention is described below with reference to fig. 11. The electronic device 1100 shown in fig. 11 is only an example and should not bring any limitations to the function and the scope of use of the embodiments of the present invention.
As shown in fig. 11, electronic device 1100 is embodied in the form of a general purpose computing device. The components of the electronic device 1100 may include, but are not limited to: at least one processing unit 1110, at least one memory unit 1120, a bus 1130 connecting the different platform components (including the memory unit 1120 and the processing unit 1110), a display unit 1140, etc.
Wherein the storage unit stores program code, which can be executed by the processing unit 1110 to cause the processing unit 1110 to perform the steps according to various exemplary embodiments of the present invention described in the network intrusion detection method section above in this specification. For example, processing unit 1110 may perform the steps as shown in fig. 1-6.
The storage unit 1120 may include readable media in the form of volatile storage units, such as a random access memory unit (RAM)1121 and/or a cache memory unit 1122, and may further include a read-only memory unit (ROM) 1123.
The storage unit 1120 may also include a program/utility 1124 having a set (at least one) of program modules 1125, such program modules 1125 including, but not limited to: a processing system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The electronic device 1100 may also communicate with one or more external devices 1170 (e.g., keyboard, pointing device, bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 1100, and/or any devices (e.g., router, modem, etc.) that enable the electronic device 1100 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 1150.
Also, the electronic device 1100 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 1160. The network adapter 1160 may communicate with other modules of the electronic device 1100 via the bus 1130. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 1100, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage platforms, to name a few.
The embodiment of the invention also provides a computer readable storage medium for storing the program, and the steps of the network intrusion detection method are realized when the program is executed. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention described in the … … method section above of this specification when said program product is run on the terminal device.
According to the program product for realizing the method, the portable compact disc read only memory (CD-ROM) can be adopted, the program code is included, and the program product can be operated on terminal equipment, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable storage medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out processes of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The foregoing is a more detailed description of the invention in connection with specific preferred embodiments and it is not intended that the invention be limited to these specific details. For those skilled in the art to which the invention pertains, several simple deductions or substitutions can be made without departing from the spirit of the invention, and all shall be considered as belonging to the protection scope of the invention.
Claims (10)
1. A method for network intrusion detection, comprising:
under the condition that a network event is detected, sequentially converting characters contained in a text character string in a network data packet of the network event into a bit matrix;
inputting the bit matrixes into an automaton in sequence, calculating Boolean matrix multiplication between bit vectors representing states and the bit matrixes in the automaton in an iterative manner, and executing state jump in response to the calculation result of the Boolean matrix multiplication, wherein the automaton is obtained by encoding feature vectors according to regular character strings of a feature regular expression, and the regular character strings of the feature regular expression represent the states and state transfer functions of the automaton;
and under the condition that the automaton outputs a rule matching result, responding to the rule matching result, and executing a corresponding network intrusion prevention decision on the network event.
2. The method of claim 1, wherein sequentially converting characters contained in text strings in network packets of the network events into bit matrices comprises:
extracting a target text segment from the network data packet, and sequentially converting characters contained in a text string of the target text segment into a bit matrix;
inputting the bit matrix into an automaton in sequence, comprising:
and sequentially inputting the bit matrixes obtained by converting the target text fragments into the automaton.
3. The method of claim 2, wherein prior to extracting the target text segment from the network data packet, the method further comprises:
dividing a network data packet of the network event into a plurality of text segments, extracting sub-text character strings from text character strings of each text segment of the network data packet, and sequentially converting characters contained in the sub-text character strings into sub-bit matrixes;
sequentially inputting the sub-bit matrixes into a sub-automaton, iteratively calculating Boolean matrix multiplication between sub-feature vectors representing states and the sub-bit matrixes in the sub-automaton and responding to the Boolean matrix multiplication calculation result to execute state jump, wherein the sub-automaton is obtained by encoding feature vectors of sub-rule character strings contained in rule character strings of the feature rule regular expression;
and under the condition that the sub-automatic machine outputs a sub-text character string matching result, responding to the sub-text character string matching result to obtain a matched sub-text character string, and selecting a target text segment to which the matched sub-text character string belongs from the text character strings of the plurality of text segments.
4. The network intrusion detection method according to claim 3, wherein, in a case where a plurality of matched sub-text strings are obtained in response to the sub-text string matching result, before the bit matrices converted from the target text segment are all sequentially input to the automaton, the network intrusion detection method further comprises:
obtaining a corresponding sub-rule character string by using each matched sub-text character string, and obtaining a target characteristic regular expression to which the sub-rule character string belongs;
and sequentially inputting the bit matrixes obtained by converting the target text fragments into the automaton, wherein the bit matrixes comprise:
and under the condition of acquiring a target automaton constructed by using the target characteristic regular expression, sequentially inputting all bit matrixes obtained by converting the target text segments into the target automaton.
5. The method according to claim 4, wherein before the bit matrices obtained by converting the target text segments are all sequentially input to the target automata when the target automata constructed by using the target feature regular expression is obtained, the method further comprises:
and carrying out feature vector coding by using the regular character string of the target feature regular expression to obtain the target automaton.
6. The method according to claim 4, wherein the obtaining a corresponding sub-rule character string by using each matched sub-text character string and obtaining a target feature rule regular expression to which the sub-rule character string belongs comprises:
constructing a first character string array by using a plurality of matched sub-text character strings;
selecting a target character string array belonging to the subset of the first character string array from a plurality of second character string arrays, wherein each second character string array is constructed by utilizing a plurality of sub-rule character strings in each feature rule regular expression;
and searching the target characteristic rule regular expression in a plurality of characteristic rule regular expressions according to the characteristic rule identification corresponding to the target character string array.
7. The method of claim 1, wherein the network intrusion prevention decision is release, interception or alarm.
8. A network intrusion detection system, comprising:
the bit matrix conversion module is used for sequentially converting characters contained in a text character string in a network data packet of a network event into a bit matrix under the condition that the network event is detected;
the regular matching module is used for sequentially inputting the bit matrixes into an automaton, iteratively calculating Boolean matrix multiplication between bit vectors representing states and the bit matrixes in the automaton and responding to the Boolean matrix multiplication calculation result to execute state jump, wherein the automaton is obtained by coding feature vectors according to rule character strings of a feature regular expression, and the rule character strings of the feature regular expression represent the states and state transfer functions of the automaton;
and the decision execution module responds to the rule matching result and executes a corresponding network intrusion prevention decision on the network event under the condition that the automaton outputs the rule matching result.
9. A network intrusion detection device, comprising:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the steps of the network intrusion detection method of any one of claims 1 to 7 via execution of the executable instructions.
10. A computer-readable storage medium storing a program which, when executed by a processor, performs the steps of the network intrusion detection method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111623254.5A CN114301671A (en) | 2021-12-28 | 2021-12-28 | Network intrusion detection method, system, device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111623254.5A CN114301671A (en) | 2021-12-28 | 2021-12-28 | Network intrusion detection method, system, device and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114301671A true CN114301671A (en) | 2022-04-08 |
Family
ID=80971044
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111623254.5A Withdrawn CN114301671A (en) | 2021-12-28 | 2021-12-28 | Network intrusion detection method, system, device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114301671A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117097628A (en) * | 2023-10-19 | 2023-11-21 | 中国电子科技集团公司第五十四研究所 | Networking communication behavior identification method based on signal physical characteristic parameters |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160267142A1 (en) * | 2014-10-03 | 2016-09-15 | The Regents Of The University Of Michigan | Detecting at least one predetermined pattern in stream of symbols |
| CN110401451A (en) * | 2019-06-12 | 2019-11-01 | 中国科学院信息工程研究所 | Automatic machine space compression method and system based on character set transformation |
| CN112784127A (en) * | 2021-03-12 | 2021-05-11 | 清华大学 | Multi-string pattern matching method and device, computer equipment and storage medium |
-
2021
- 2021-12-28 CN CN202111623254.5A patent/CN114301671A/en not_active Withdrawn
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160267142A1 (en) * | 2014-10-03 | 2016-09-15 | The Regents Of The University Of Michigan | Detecting at least one predetermined pattern in stream of symbols |
| CN110401451A (en) * | 2019-06-12 | 2019-11-01 | 中国科学院信息工程研究所 | Automatic machine space compression method and system based on character set transformation |
| CN112784127A (en) * | 2021-03-12 | 2021-05-11 | 清华大学 | Multi-string pattern matching method and device, computer equipment and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| 付哲 等: "高性能正则表达式匹配算法综述", 计算机工程与应用, pages 3 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117097628A (en) * | 2023-10-19 | 2023-11-21 | 中国电子科技集团公司第五十四研究所 | Networking communication behavior identification method based on signal physical characteristic parameters |
| CN117097628B (en) * | 2023-10-19 | 2023-12-22 | 中国电子科技集团公司第五十四研究所 | Networking communication behavior identification method based on signal physical characteristic parameters |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112905421B (en) | Container abnormal behavior detection method of LSTM network based on attention mechanism | |
| CN113315742B (en) | Attack behavior detection method and device and attack detection equipment | |
| WO2022227388A1 (en) | Log anomaly detection model training method, apparatus and device | |
| US11551085B2 (en) | Method, device, and computer program product for error evaluation | |
| US20170329821A1 (en) | Signature detection | |
| CN114301671A (en) | Network intrusion detection method, system, device and storage medium | |
| CN113886832A (en) | Intelligent contract vulnerability detection method, system, computer equipment and storage medium | |
| Xu et al. | DHA: Supervised deep learning to hash with an adaptive loss function | |
| CN111049839B (en) | Abnormity detection method and device, storage medium and electronic equipment | |
| CN112396166A (en) | Graph convolution neural network training method and device based on mixed granularity aggregator | |
| CN115567305B (en) | Sequential network attack prediction analysis method based on deep learning | |
| US20200394398A1 (en) | Converting unlabeled data into labeled data | |
| CN111431872A (en) | Two-stage Internet of things equipment identification method based on TCP/IP protocol characteristics | |
| JP7389860B2 (en) | Security information processing methods, devices, electronic devices, storage media and computer programs | |
| CN113688240B (en) | Threat element extraction method, threat element extraction device, threat element extraction equipment and storage medium | |
| CN113705201B (en) | Text-based event probability prediction evaluation algorithm, electronic device and storage medium | |
| CN114297022A (en) | Cloud environment anomaly detection method and device, electronic equipment and storage medium | |
| CN110650130B (en) | Industrial control intrusion detection method based on multi-classification GoogLeNet-LSTM model | |
| CN113537349A (en) | Method, device, equipment and storage medium for identifying hardware fault of large host | |
| Kartik et al. | Decoding of graphically encoded numerical digits using deep learning and edge detection techniques | |
| CN111198900A (en) | Data caching method and device for industrial control network, terminal equipment and medium | |
| CN117201138B (en) | Intelligent contract vulnerability detection method, system and equipment based on vulnerability subgraph | |
| Li et al. | Toward effective traffic sign detection via two-stage fusion neural networks | |
| CN116708313B (en) | Flow detection method, flow detection device, storage medium and electronic equipment | |
| CN114726599B (en) | Artificial intelligence algorithm-based intrusion detection method and device in software defined network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WW01 | Invention patent application withdrawn after publication |
Application publication date: 20220408 |
|
| WW01 | Invention patent application withdrawn after publication |